The very short, very easy answer is: hell yes! Absolutely, positively you need a firewall.
With all that happens on the internet these days, it’s simply too risky to let your computer sit “naked” on the internet unless you really know what you’re doing. The real question is what kind of firewall do you need?
The very good news these days is that it’s very likely that you’re already behind a firewall and don’t need to do a thing.
But you should make sure.
Become a Patron of Ask Leo! and go ad-free!
What’s a firewall?
Let’s be clear: every computer should have or be behind a firewall. Possibly even both.
Firewalls are your first line of defense against an entire class of network-based threat that is constantly (yes, constantly) attempting to attack your computer. Those threats are stopped cold simply by having a firewall.
And there’s a good chance you already have one. Possibly even two.
In your car, a firewall is the “wall” of metal between you and the engine. Its purpose is to prevent engine fires from reaching you.
A firewall for your computer is much the same, except that the engine – the network you’re connected to – is always on fire. The point of a firewall is to keep you from getting burned.
A firewall protects your computer from network-based threats.
Almost all computers on the internet are under constant attack. Malware on other machines, hackers, botnets, and more are waging a slow but extremely persistent war, probing the internet to find unprotected vulnerabilities on other internet-connected computers. If they find such a vulnerability, they infect the machine that they’ve found, or worse.
The basic concept of a firewall is very simple: it blocks or filters certain types of network traffic from ever reaching your computer.
Traffic that you want to reach your computer:
- Websites pages that you visit
- Software that you download
- Music or videos that you might watch
- And more…
Other traffic that you definitely don’t want:
- Your neighbor’s machine, infected with a botnet, trying to connect to your machine over the network to spread the infection.
- Overseas hackers trying to gain entry to your machine over the network to steal your personal information.
- And more …
A firewall knows the difference.
If you look at the sets of examples above, they differ in one important aspect:
- Things you want are connections that you or your computer initiate. On your order, your computer reaches out and asks for the webpages you visit, the software that you download or the music you might listen to.
- Things that you don’t want are connections that are trying to come in from outside.
That’s an easy distinction for a firewall to make.
Two basic types of firewalls
A router sitting between your computer and the internet is one of the best and most cost-effective firewalls that the average computer user can have. It’s usually a piece of equipment that sits physically between your computer and where the wires plug into the wall, with flashing lights that tell you it’s on duty.
The router’s job is to “route” data between the computer(s) and the internet.
Routers also allow you to share an internet connection by what’s called “Network Address Translation“. NAT “translates” between the single IP address you’ve been given by your internet service provider, and the IP addresses assigned to your machines by the router.
Routers watch for connections initiated by your computer reaching out to resources on the internet. When a connection is made, the router keeps track, so when a response comes back on that connection, it knows which of your local machines gets the data.
The side effect is that if an outside computer tries to start a connection, the router doesn’t know which computer to send it to. All it can do is ignore the attempt. That effectively blocks everything on the internet from trying to start a connection to a machine on your local network.
And that automatically makes your router a powerful incoming firewall.
Your router will not, however, filter outgoing traffic.
Software firewalls are programs that run on your computer. They operate as close to the network interface as possible, and monitor all your network traffic.
If you’re not using a router, all of the network traffic will still technically reach your machine, but the firewall prevents malicious traffic from getting any further. Much like a router, a software firewall prevents the rest of your system from even realizing that there is any malicious traffic.
In addition, some software firewalls can be configured to monitor outgoing traffic. If your machine becomes infected and some malware attempts to “phone home” by connecting to a known malicious site, or tries to infect other machines on your network, a software firewall can warn you and block the attempt.
All current versions of Windows have a software firewall built in and turned on by default. Windows may even annoy you into ensuring that the firewall is either turned on (in Control Panel) or that you’re aware of the risks in not having it turned on.
The Windows firewall is primarily an incoming-only firewall.
Choosing and setting up a firewall
In general, I recommend using a broadband router as your firewall. Since it’s very likely you already have one, that means you’re pretty much done.
There is disagreement. Some believe that an outgoing firewall is important. My position is that an outgoing firewall doesn’t really protect; it simply notifies after something bad has happened.
Routers are pretty common, and nearly a requirement for anyone who has more than one computer sharing an internet connection (though I’d recommend you use one even if you have only one computer). If you have a NAT router, you have a firewall without needing to burden each computer with additional software.
Software firewalls do make sense in a very important situation: they are critical when you can’t trust other computers on your local network.
Don’t trust the kids’ ability to keep their computer safe on the internet? Enable the software firewall on your computer.
Heading out to the local open WiFi hotspot? Turn on the software firewall before you connect.
In later versions of Windows, the built-in firewall has matured to the point where it’s actually quite reasonable to leave it on all the time, even if you’re behind a router. It seems to impact operations very little and saves you from remembering to turn it on when you travel or have that not-so-trustworthy guest on your network.
That’s why I said earlier that you might, in fact, have two firewalls already: your router and your Windows firewall. And that’s quite OK.
What firewalls can’t do
It’s important to remember that a firewall can’t protect you from everything.
A firewall protects you from threats that arrive via malicious connection attempts from elsewhere on the internet. A firewall will not protect you from things that you invite onto your machine yourself, such as email, attachments, downloads, and removable hard drives.
Nonetheless, protection from network attacks remains critically important.